Build fully isolated multi-tenant lab networks on Proxmox with guided VPN setup.
Getting Started
Personal (FREE) Quickstart
apt update -y
apt install -y git ipcalc jq zip
git clone https://github.com/zelogx/msl-setup.git
cd msl-setup
# Phase 0: TUI Network Auto Configuration (Check existing network + Automatic network config)
./00_configNetwork.sh en # Language: en|jp (default en)
# Phase 1: Network Setup (check config + SDN setup)
./01_networkSetup.sh en # Language: en|jp (default en)
# After Phase 1, configure router static routes and port-forwarding before Phase 2.
# Phase 2: after the manual router configuration is done, run the VPN setup
./02_vpnSetup.sh en # Language: en|jp (default en)
# Phase 3 (Pro Corporate only): RBAC Self-Care Portal Setup
./0301_setupSelfCarePortal.sh en # Language: en|jp (default en)
# (Optional) Uninstall MSL setup completely
./99_uninstall.sh en # Language: en|jp (default en)
# This will:
# 1. Destroy Pritunl VM (calls 0201_createPritunlVM.sh --destroy)
# 2. Restore network configuration to backup state (calls 0102_setupNetwork.sh --restore)
# (Optional) Cluster operation commands
# No action is required if the Proxmox cluster was already enabled during the initial setup in v2.0 or later.
mslcm enable-cluster # Promote MSL Setup to a cluster-enabled configuration
mslcm disable-cluster # Revert MSL Setup to a single-node configuration
mslcm add-node <IP address> # Add a node to the MSL Setup cluster configuration
mslcm del-node <IP address> # Remove a node from the MSL Setup cluster configuration
Reference for the addresses you will review or enter during Phase 0
Network Planning
a. MainLAN (existing vmbr0): (e.g., 192.168.77.0/24 GW: .254)
The network address of your company or home lab’s Main LAN.
b. Proxmox PVE’s MainLAN IP: (e.g., 192.168.77.7)
This becomes the destination IP when adding a static route to the Internet router.
c. vpndmzvn (new): (e.g., 192.168.80.0/24 GW: 192.168.80.1)
Route used by VPN clients to access tenant subnets.
Requires at least a /30 network.
d. Client IP pool: (e.g., 192.168.81.0/24)
Split between WireGuard and OpenVPN, e.g., 192.168.81.2–126/25 for OpenVPN and 192.168.81.129–254/25 for WireGuard.
e. Number of tenants to create: (e.g., 8)
Minimum is 2, and must be a power of two: 2, 4, 8, 16, etc.
f. Network address assigned to each tenant (vnetpjxx) (new): (e.g., 172.16.16.0/20)
Network segment for each tenant.
g. Pritunl MainLAN-side IP: (e.g., 192.168.77.10)
This becomes the destination IP when adding port-forwarding rules on the Internet router.
h. Pritunl vpndmzvn-side IP: (e.g., 192.168.80.2)
Subnet used by VPN clients when they exit toward each tenant’s subnet.
i. UDP ports:
Number of tenants × 2 (e.g., 16)
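A pre-flight check of the values in items a to i, written as an added example; it is not part of MSL Setup and does not reproduce what 00_configNetwork.sh does. The function name, the dictionary keys and the IPv4-only scope are assumptions made for this sketch; the sample values are the page's own examples.

```python
import ipaddress as ipa

# Constructed sample plan built from the example values in items a-i above.
PLAN = {
    "mainlan": "192.168.77.0/24", "pve_ip": "192.168.77.7",
    "vpndmz": "192.168.80.0/24", "client_pool": "192.168.81.0/24",
    "tenants": 8, "tenant_net": "172.16.16.0/20",
    "pritunl_main_ip": "192.168.77.10", "pritunl_dmz_ip": "192.168.80.2",
}

def check_plan(plan):
    """Return (errors, derived) for a Phase 0 address plan (hypothetical helper)."""
    errors, nets = [], {}
    for key in ("mainlan", "vpndmz", "client_pool", "tenant_net"):
        try:
            nets[key] = ipa.ip_network(plan[key], strict=True)
        except ValueError as exc:  # malformed CIDR or host bits set
            errors.append(f"{key}: {exc}")
    if errors:
        return errors, {}
    # Overlapping ranges make routes ambiguous and undermine tenant isolation.
    keys = list(nets)
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if nets[a].overlaps(nets[b]):
                errors.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # Item c: vpndmzvn requires at least a /30.
    if nets["vpndmz"].prefixlen > 30:
        errors.append("vpndmz: needs at least a /30")
    # Item e: minimum is 2 and the count must be a power of two.
    n = plan["tenants"]
    if n < 2 or n & (n - 1):
        errors.append(f"tenants: {n} is not a power of two >= 2")
    # Items b, g, h: each host address must sit inside its own network.
    for ip_key, net_key in (("pve_ip", "mainlan"), ("pritunl_main_ip", "mainlan"),
                            ("pritunl_dmz_ip", "vpndmz")):
        if ipa.ip_address(plan[ip_key]) not in nets[net_key]:
            errors.append(f"{ip_key} {plan[ip_key]} is outside {net_key}")
    if plan["pve_ip"] == plan["pritunl_main_ip"]:
        errors.append("pritunl_main_ip duplicates pve_ip")
    # Item d: split the pool in halves, OpenVPN first, as in the page's example.
    if nets["client_pool"].prefixlen > 30:
        return errors + ["client_pool: too small to split"], {}
    ovpn, wg = nets["client_pool"].subnets(prefixlen_diff=1)
    # Item i: two UDP ports per tenant.
    derived = {"ovpn_pool": str(ovpn), "wg_pool": str(wg), "udp_ports": n * 2}
    return errors, derived

if __name__ == "__main__":
    print(check_plan(PLAN))
```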
MSL Setup Personal (FREE) features
We automate all Basic workflows to perform repeatable builds; router static routes and port-forwarding remain manual. We also provide helpers to build and configure a Pritunl VM and its initial server settings. With these automations, tasks that used to take days can typically be completed in about 10 minutes (excluding router changes).
Select the number of isolated tenants (e.g. 2, 4, 8, 16). Network addresses, Pritunl VM IP addresses, and VPN port numbers are all flexible and configurable to fit your environment.
User-friendly safety: automatically detect network addresses, avoid collisions by proposing non-conflicting addresses, and restore SDN/firewall settings before runs to prevent misconfiguration.
Auto-apply and restore support for Proxmox SDN and firewall settings. VXLAN-based isolated tenant networks in v2.0.
Automated advanced reachability checker that validates main-router port-forward behavior and verifies Pritunl VM reachability to each isolated network gateway.
Write auto-configured Pritunl setup references and network diagrams into host Notes.
Guides are provided for connecting VMs to each isolated network and for operating VPN access users.
Suitable for freelancers and personal isolated environments.